This page describes how SoftDocket protects customer data across the application, infrastructure, and operations layers. It is a public, marketing-grade summary; the authoritative description is in the Data Processing Addendum (DPA) we sign with each Enterprise customer.
1. Encryption
- In transit: TLS 1.2+ for every public endpoint; HSTS preload enrolled; modern cipher suites only.
- At rest: AES-256 disk encryption for application databases, object storage, and backups.
- Application-level: sensitive fields (passwords, payment tokens, secret API keys) hashed or encrypted in addition to disk-level protection.
- Key management: managed KMS; automatic rotation; envelope encryption for sensitive blobs.
2. Tenant isolation
- Row-level isolation: a tenant ID is enforced in every application query.
- Separate per-tenant signing keys for outbound webhooks.
- Enterprise option: dedicated tenant + dedicated database; private VPC / on-prem available.
- Authoritative isolation tests run on every release; tenant-crossing bugs are P0 with public post-mortems.
3. Access control
- SSO: Google + Microsoft OIDC included; SAML + SCIM on Enterprise.
- RBAC: 20+ built-in roles; custom roles on Enterprise.
- MFA: required for admin roles, optional for others. WebAuthn supported.
- Internal access: SoftDocket engineering accesses customer data only through a documented break-glass procedure, with a full audit trail and customer notification on a defined cadence.
4. Monitoring + audit
- Centralised, append-only audit log of every administrative action; default 1-year retention, 7 years on Enterprise.
- Application + infrastructure telemetry shipped to a SIEM; alerting on anomalous access patterns.
- Read-only audit-log export available on Enterprise for customer SOC ingestion.
5. Vulnerability management
- Dependency scanning + SAST on every PR; high-severity findings block merge.
- DAST runs weekly against staging.
- Third-party penetration test annually (cadenced from R1 S9.5 per RELEASE_PLAN §H.9). Summary letter available under NDA.
- Coordinated disclosure: report to [email protected]. Safe-harbour terms on the public Security page.
6. Backup, retention, deletion
- Encrypted, geographically separated daily backups; 30-day retention; restore tested quarterly.
- Per-data-class retention schedule documented in the DPA.
- Customer-initiated export at any time in standard formats (CSV / JSON / SQL dump on request).
- Tenant deletion: hard-delete within 30 days of contract end (or shorter on request), with deletion certificate.
7. Data residency
- Default: India region (Mumbai / Hyderabad availability zones).
- Enterprise: EU, US, or sovereign-cloud regions on request.
- No customer data leaves the chosen region for primary processing; transactional support metadata may cross regions per the DPA.
8. Incident response
- 24×7 on-call for severity-1 incidents; documented runbooks; quarterly tabletop exercises.
- Confirmed personal-data breach: customer notification within 72 hours (DPDP / GDPR aligned).
- Public post-mortems for material customer-facing incidents.
9. Business continuity
- Multi-AZ production deployment; documented RTO 4 hours, RPO 1 hour (Enterprise).
- Quarterly DR drills with documented results.
- BCP / DR plan summary available under NDA.
For SOC 2 reports, CAIQ + SIG Lite responses, pen-test summaries, sub-processor list, DPA, MSA, and BCP / DR plan summary, email [email protected].
